What Is ‘Surveillance for Hire’?

After Meta (Facebook) recently reported alerting 50,000 people that it believed were being targeted by “surveillance-for-hire” entities, we take a look at who these entities are and what they do.

Meta’s Report

Following months of investigation, Meta recently informed 50,000 people that they were being targeted by seven “surveillance-for-hire” entities / “cyber mercenaries” who were targeting people in over 100 countries on behalf of their clients. It has been reported that Meta has issued cease-and-desist warnings against six of the seven entities it identified. The seventh is known to be in China, but couldn’t be identified.

What Does “Surveillance-For-Hire” Mean?

The surveillance-for-hire industry comprises companies that employ a combination of social engineering and technology to monitor and gather information about, and sometimes from, individuals on behalf of their clients. In the case of Meta’s investigation, these companies are described as entities that use “intrusive software tools and surveillance services indiscriminately to any customer, regardless of who they target, or the human rights abuses they might enable”. Surveillance-for-hire companies claim to use their surveillance services to tackle criminals and terrorists, but offer their services to many government and non-government groups that otherwise wouldn’t have these capabilities, as well as private individuals, law firms, businesses, politicians and even law enforcement agencies. Meta’s investigation also claims that these surveillance companies target journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists.

Examples

Examples of surveillance-for-hire companies/cyber mercenaries include:

– Black Cube. Although it recently described itself as simply a “litigation support firm”, it is one of the companies identified recently by Meta. Black Cube was founded by former Mossad veterans from the Israeli intelligence agency. Meta suggested that Black Cube used fictitious personas to contact targets and obtain email addresses for phishing attacks (which Black Cube denies). Black Cube has previously made the news following reports by the New Yorker in 2017 that Harvey Weinstein used it to surveil reporters covering allegations about his assaults.

– NSO. Meta identified this company as being behind Pegasus spyware, a software used to enable surveillance, which it sued in 2019, and Apple has also sued.

– Cognyte. Based in Israel, Meta claims that Cognyte sells access to its platform, which enables the management of fake accounts across social media platforms, including Facebook, Instagram, Twitter, YouTube, and VKontakte (VK), as well as other websites, to social-engineer people and collect data.

– Bluehawk CI. Based in Israel with offices in the UK and the US, Meta states that Bluehawk offers a range of surveillance-for-hire services, including social engineering, gathering litigation-related intelligence about individuals, and managing fake accounts to trick them into installing malware. Meta alleges that the fake accounts pose as journalists working for media organisations like La Stampa (Italy) and Fox News (US) to trick targets into giving an on-camera interview.

– Cobwebs Technologies. Founded in Israel with offices in the United States, Meta states that Cobwebs Technologies offers access to its platform, which enables reconnaissance across the internet, including Facebook, Instagram, WhatsApp, Twitter, Flickr, public websites, and “dark web” sites. Meta also claims that the accounts used by Cobwebs customers also engage in social engineering to join closed communities and forums and trick people into revealing personal information.

Issues

Some of the issues raised by Meta’s recent investigation, which has shed light on the entities in the surveillance-for-hire industry, include:

– Their services are indiscriminately sold to anyone willing to pay, including known bad actors.

– They work across many platforms and national boundaries.

– Both nation-states and private enterprises use their capabilities. This means that they lower the barrier to entry for anyone willing to pay.

– It is often impossible for targets to know they are being surveilled across the internet.

What Does This Mean For Your Business?

The scale of this industry, as identified in Meta’s report, indicates that this dark surveillance is widespread. The fact that many different companies sell their services indiscriminately, often operating in secrecy, makes it difficult to trace activity back to the client. Additionally, with these entities operating across multiple platforms and national boundaries, a collective effort from platforms, policymakers, and civil society, as well as public discussion about the use of surveillance-for-hire technology, is now necessary to ensure greater transparency and oversight, thereby helping to protect people. Additionally, as suggested by Meta, industry collaboration, as well as more governance and regulator-led conversations about the ethics of these companies, could help protect their targets.